

I mean any connection through these protocols is just not working over the Internet. DPI equipment detects respective packets and cuts the connection, irrespective of the port you assign.


Yep


It’s not illegal to use a VPN in my area, but connections are blocked on a protocol level, both through OpenVPN and WireGuard.
I already managed to make caddy work, so, hooray!
I also found a setting on my router that fully isolates certain devices from the local network. I want to put the server in there, so that the rest of my LAN is not under threat. I also want to figure out VLANs.


That’s a good piece of advice, but due to several considerations (extreme censorship interrupting VPN connections, family using NAS for automatic backups, and some others) I cannot go that route.


For now I’m only toying around, experimenting a little - and then closing ports and turning my Pi off. I do have my NAS constantly exposed, but it is solidly hardened (firewall, no SSH, IP bans for unauthorized actions, etc. etc.), fully updated, hosts no sensitive data, and all that is important is backed up on an offline drive.


Yep!
For me it’s a sense of reliability and control - my stack will keep working even if new censorship rolls out (I live in a heavily censored and sanctioned jurisdiction), or if there’s a global outage, or whatever else. I am also the sole authority over my piece of the Internet, and no one can do anything to alter it or take it away.


Update: tried Caddy, love it, dead simple, super fast, and absolutely works!


Yep, sharing stuff for others requires more expertise, as I’ll become responsible for other people’s experience. If I screw something up now, only I will be affected.


Thanks for the clarification!


For now just some experiments alongside the NAS.
Planning to host Bitwarden, Wallabag and other niceties on the server, and then, when I get something more powerful, spin up a Minecraft server and stuff.


I’d love to eventually have a 10 Gbps LAN, yep :)
I’d also love to explore the technology going into cloud gaming, so not only would I launch games using files lying on the server, but could actually play them everywhere from my energy-efficient potato laptop :D
But that’s long ahead and more of an “if it even works properly”


In what way? It is a physical server located in my bedroom, sharing resources online.


Drives are somewhat noisy (even though I took fairly quiet ones) and I appreciate total silence at night. Unfortunately, I don’t have many places to put it outside my single room, so there’s that.
I’d love to move to SSDs for storage at some point (I know it’s controversial, but they would fit my use case better), but for now it’s too expensive for me.


Thanks! I got that advice as well, but I would like to keep it self-hosted - I consider using Pangolin on a VPS for that purpose going forward: https://github.com/fosrl/pangolin
Also, beware of the new attack on Cloudflare Tunnel: https://www.csoonline.com/article/4009636/phishing-campaign-abuses-cloudflare-tunnels-to-sneak-malware-past-firewalls.html


Thanks, I will! Wise of you not to share it publicly.


Yes, I know where this feature is in the settings, but it’s got its own issues and I also turn the NAS off for the night, so it’s not an option for me.


Guess I am getting ahead of myself, yes, which gets even more complicated by having another server (Synology NAS) already installed and messing with networking a little, as internal settings appear to expect the NAS to be the only exposed thing on the network.
Thanks for the link! I’ve seen that thumbnail, but most guides are solely focused on actually installing Nginx Proxy Manager, which is the easy part, and skip the rest, so I glanced over that one.
P.S. Looks like I did everything right, I just need to sort my SSL stuff to work properly.


Pretty solid! Though an insta-ban on everything hitting :80/443 may backfire - it’s too easy to just enter the domain name without a subdomain by accident.


Nice to know!
I would be fairly comfortable running a direct WireGuard connection even without Tailscale, but my location and use case simply won’t allow me to.
Your setup is valid, nothing wrong with it, and yes, it is more secure. Just can’t be used in my case.